One Year Later: Why HR Leaders Should Still Be Paying Attention to GDPR
GDPR has now been in effect for more than a year. How has the compliance landscape changed? What can organizations expect in the coming months?
The General Data Protection Regulation (GDPR) was one of the biggest tech topics of 2018. So, where are we on this issue now? Organizations must understand how the regulation has affected businesses, where enforcement of the regulation stands, and, regarding the GDPR and HR, what tools a department can use to avoid running afoul of it.
Many organizations are still coming to terms with the GDPR and its implications. As a refresher, the GDPR replaced the EU's Data Protection Directive (Directive 95/46/EC). While the GDPR was meant to create consistency across the EU's 28 member states, variations exist today in how individual data protection authorities are choosing to interpret and apply the regulation. HR departments should also note that the GDPR itself (Article 88) lets each member state set more specific rules for the processing of employee data, so the requirements for an employer can differ from one country to the next.
The GDPR's Brief History
If you find yourself confused about GDPR, you're not alone. "We've received a lot of questions from clients for a better understanding of what we've done at ADP in terms of implementing and operationalizing GDPR within our organization," says Cécile Georges, Global Chief Privacy Officer at ADP. "A lot of clients clearly have GDPR in their checklist. They want to make sure that we can help them comply with GDPR."
There remains an incomplete picture of GDPR enforcement, as well. According to a recent report from DLA Piper, regulators have been notified of about 59,000 personal data breaches since the GDPR took effect, while only 91 fines have been reported, and not all of those fines relate to breach notifications. So far, the most notable fine was issued by the French data protection authority, CNIL, to a technology company that did not give users sufficiently clear information about, or obtain valid consent for, the personalization of advertising based on their data.
Precedent is limited and enforcement has been sparse so far, but more fines will undoubtedly follow as EU regulators work through their backlog of complaints. "It will take time for regulators to identify which complaints are serious and have some substance, investigate those matters, then potentially apply fines," adds Georges.
An Approved Data Transfer Mechanism
Given how little enforcement precedent exists, there's a great deal of caution and anxiety around a change of this magnitude to the regulatory landscape. Consequently, some businesses may find themselves unsure of how to maintain compliance with the GDPR; they might lack the people, processes or technology needed to champion and ensure compliance. This can be particularly problematic for HR, since employee data covered by the regulation often needs to be transferred outside of the EU, and the GDPR only permits such transfers under an approved mechanism.
Depending on your organization's operating footprint, Binding Corporate Rules (BCRs) may be able to help. BCRs are legally binding internal policies that govern transfers of personal data between the entities of a corporate group, including transfers to group entities located outside of the EU.
Before an organization can rely on BCRs, they must be approved by the competent European data protection authorities. Furthermore, BCRs must conform to the GDPR's requirements, including transparency, security and lawfulness of data processing, and must give the individuals whose data is transferred enforceable rights.
As such, organizations that wish to take advantage of BCRs must invest in processes and technologies to ensure that internal data transfers comply with GDPR and the principles of the BCR. "We have implemented BCRs to allow for the transfer of personal data to any location outside of the EU without having to go through multiple contracts to document such transfers," says Georges. "It's a very strong commitment from ADP to comply with the requirements of the GDPR through the implementation of BCRs while processing any personal data, whether it pertains to our clients' employees, our business contacts or our own associates."
The Advantages of Outsourcing
Given the inherent challenges of complying with the GDPR, many businesses are turning to human capital management (HCM) solution providers for assistance. Since an organization may not have the technical expertise or resources to comply with the GDPR on its own, outsourcing HR data processing to a cloud-based HCM provider can substantially reduce the compliance burden.
For example, an HCM provider could assume responsibility for assisting with the transfer of personal data out of the EU, and for documenting some of the compliance activities. Note that outsourcing does not transfer accountability: under the GDPR the employer remains the controller of its employees' data, and the HCM provider acts as a processor under a written contract and the employer's instructions, so the employer must still vet the provider's safeguards.
While GDPR compliance poses a significant challenge, with the right HCM partner, this seemingly insurmountable issue can become a manageable one.
Learn more about GDPR and its impact on HR and payroll.